ComfyUI Automation
Advisory. Audited by VirusTotal on Apr 14, 2026.
Overview
Type: OpenClaw Skill
Name: comfyui-automation
Version: 1.0.0
The skill bundle automates ComfyUI setup and execution, which involves high-risk operations such as shell command execution (git clone, pip install) and network access (wget) as described in SKILL.md. While these capabilities are plausibly needed for the stated purpose of installing and managing a ComfyUI environment, the instructions allow for the installation of arbitrary third-party 'Custom Nodes' and model weights, which could lead to remote code execution if directed at malicious sources. The included Python script scripts/analyze_models.py is benign and performs basic file existence checks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing third-party code can change the local workspace and run code when ComfyUI or its dependencies are used.
The skill instructs installing ComfyUI and Python dependencies from external sources. This is central to the skill's purpose, but users should trust and review those sources.
git clone https://github.com/comfyanonymous/ComfyUI.git ... pip install -r requirements.txt
Use trusted repositories, prefer pinned versions where possible, keep the virtual environment isolated, and review custom nodes before installing them.
A workflow that requires custom nodes may lead to installing additional third-party Python code in the ComfyUI environment.
Custom node installation is expected for ComfyUI workflows, but the repository is not specified or pinned, so the actual installed code is outside the reviewed artifacts.
locate the corresponding Custom Node repository, clone it into `ComfyUI/custom_nodes/`, and `pip install -r requirements.txt` inside its folder
Confirm the custom node repository with the user, inspect its source and requirements, and avoid installing unknown custom nodes automatically.
